[Packetbeat] Update DNS protocol to use ECS fields #9941
Conversation
| @@ -532,6 +532,30 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |||
| SOFTWARE. | |||
| -------------------------------------------------------------------- | |||
| Dependency: github.com/elastic/ecs | |||
| Revision: 69de90eb6493e0804405321f48adfdfa488d6498 | |||
There was a problem hiding this comment.
My first though was to fix it to Beta2 but at this stage the go code was not in yet :-(
There was a problem hiding this comment.
Luckily the code generated from this commit is exactly the same as what would be in beta2 if I backported (I started a backport and realized they’d be the same).
|
The are no changes needed to fields.yml in this PR. When I finish updating the last protocol in Packetbeat then there should be several updates to removing unused fields. And then I can add aliases to ecs-migration.yml. None of the DNS specific fields were changed. I’ll update the changelog. |
|
CHANGELOG.next is now updated. |
|
As far as I can see for example For the What we often do in these ECS migration PR's is also having in the PR description the list of fields which we renamed. |
Update NOTICE
This updates the DNS protocol to have more closely follow ECS. The DNS tunneling dashboard has been updated to work with the new field names. In order to better interoperate with other data sources the trailing dot has been removed from domain names. For example, previously Packetbeat would produce `dns.question.name:elastic.co.` and now it will simply produce `dns.question.name:elastic.co`. It's a breaking change but it will be make it easier to pivot with other data sources. Part of elastic#7968 Here's a summary of what fields changed. Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - notes -> error.message - responsetime -> event.duration (unit are now nanoseconds) - transport -> network.transport Added - event.end - event.start - network.bytes - network.community_id - network.protocol = dns - network.transport = udp/tcp - network.type Unchanged Packetbeat Fields - method - dns opcode - query = class {{ dns.question.class }}, type {{ dns.question.type }}, {{ dns.question.name }} - request - text representation of the entire request - response - text representation of the entire response - resource - dns.question.name - status - type = dns (we might remove this since we have event.dataset)
No aliases yet because these fields are still used.
andrewkroh
force-pushed
the
feature/pb/ecs-fields
branch
from
7d7e585
to
eca5b23
Compare
|
@ruflin I added a few fields to ecs-migration.yml (all with Can you please take another look. |
There was an ID collision over the `DNS` ID.
andrewkroh
force-pushed
the
feature/pb/ecs-fields
branch
from
8c38eda
to
44d02fa
Compare
With low resolution timers on Windows it's very possible that an event can have an event.duration=0 and we want to send that field when this occurs.
andrewkroh
force-pushed
the
feature/pb/ecs-fields
branch
from
44d02fa
to
6b17673
Compare
This updates the DNS protocol to have more closely follow ECS.
The DNS tunneling dashboard has been updated to work with the new
field names.
In order to better interoperate with other data sources the trailing dot
has been removed from domain names. For example, previously Packetbeat
would produce
dns.question.name:elastic.co.and now it will simply producedns.question.name:elastic.co. It's a breaking change but it will be make iteasier to pivot with other data sources.
Part of #7968
Here's a summary of what fields changed.
Changed
Added
Unchanged Packetbeat Fields